Reverse Engineering The “Mastercool 52224-A”

I’m trying to get the raw temperature output of my Mastercool 52224-A IR thermometer for a project (big update coming)

I have seen this done in the past. The 2 ways I have previously seen were tapping the pads on the LCD itself, and capturing the screen on a camera and running the image through some kind of recognition algorithm.

Pulling the raw LCD information itself sounds like a real pain: even if the display is not multiplexed and the AC drive voltage is done just on the return pin, this would still take 22+ pins. Capturing the screen is just a messy and overly complicated way of going about this as well.

This is probably a good time to mention I have no idea if someone has done this exact same thing with this exact same model or variant before. I’m sure I’m not the first to do or try this, but I really did not want to google too deep as I really wanted to figure this out on my own.

Let’s figure out a better way by cracking it open

A few things stand out here: an 8 pin SOIC at the top, probably EEPROM; the big black blob that looks like it contains the main processor and conversion; 2 well labeled headers; some test points; a 16 pin SOIC that’s not populated; and some SMD package that’s unpopulated with headers.

Breaking things down, the 8 pin SOIC is a 93LC66B 16 bit 4k EEPROM

The black blob looks like it has 2 dies under it, no X-ray to confirm

The 2 headers look promising

The unpopulated SMD package has a 0 ohm resistor across 2 pins. It looks to me like it was intended to be a quad op amp with 4 of the amps in use in series, and it was chosen not to be used as a last minute thing, not a multi model thing, due to the bodge resistor … maybe they thought they had all the dynamic range they needed without an amp, used an internal, maybe more noisy, amp in the ADC, or used a different PIR sensor with built in amplification.

That SMD package looks to me like some kind of temperature sensor that was used during development, as none of the pins go out to the processor that I can tell.

The other side of the PCB is interesting in its own right. For one, I see 2 buttons that are not on the back. I see the model TN410 … I can’t find anything online about this. I also see the PCB thickness (this sounds odd, but minor changes in thickness can throw off case design drastically, so it’s good to make it clear on your PCB for both the case designers and so the fab does not think about using different size materials if they are out of one).

Messing with those buttons, the lower display shows E 0.99 and I can bring that down to as low as E 0.7 … this could be an error correction allowing a multiplier of the output, but I think this is the emissivity factor … if this is true, adding buttons here might be useful in the future.

So first things first, let’s look at that uppermost header. It’s labeled VCC, CD3, DCLK, DIO, GND; this appears to go directly into the micro and is my best bet. DIO and DCLK sound for all the world to me like i2c, so I took a header and my logic analyzer and just held the header in place with the analyzer attached to see what I get.

What I got was interesting: the clock was very variable, the data was not held high, it was not clocked CAN, it was not SPI, it was not 1Wire, and if it was i2c it was very confusing, as it looked like it was addressing 4 different things and not giving any useful information that did not look like it changed. This could possibly be the header to program the EEPROM, but clearly I was going nowhere with this.

Let’s move on to the lower header, labeled M, G, C, D, V. G and V were clearly ground and power, M was connected to the trigger button (not mode as one would suspect) directly, C and D can only be Clock and Data. This header is also accessible from under the batteries, hinting at its use in factory calibration or factory verification.

Hooking this up to the logic analyzer, clock, data and trigger are all held high, making me think i2c, but i2c decoded as garbage. Under SPI, though, we get some real data

4C 12 BA 18 0D
4C 12 5E 18 0D
53 00 00 53 0D
66 12 7B F3 0D
53 00 00 53 0D
66 12 7B F3 0D

Clearly something is in this: we have a clear word-end byte, and a start/identify byte of 4C, 53 or 66

I sat down for a couple of hours running several tests, collecting some data and trying to figure out what this means, and finally I figured this out

4C is the temperature measurement of the PIR (remote) sensor

66 is the ambient temperature

53 is empty, possibly an over range or error code of some sort showing that everything looks good

Let’s ignore 53 and focus on 66 and 4C

The next 2 blocks of hex are the actual value

The next block is a checksum that is the first 3 blocks added together

The last byte is the stop/postamble byte

The 2 blocks that contain what we are interested in, the data, give us a high value. For example, in 4C 12 BA 18 0D we have 12 BA, which equals 4794 in decimal. This value increases and decreases with the increase and decrease in temperature, leading me to my conclusion that this is where I should be looking.

It was a simple guess that the converter was 16 bit, as the value is too big for 12 bit, and 14 bit ADCs are quite rare and there is little sense in making one, especially because the strangely soldered film capacitor labeled “intc” strongly indicates that it is an integration based ADC, meaning the value is based on timing, and making a 14 bit timer is kinda dumb.

This looked correct, and with a lot of fiddling I figured out the output equation is

(HexToDec(TempData)/16)-273.14375 = *C

(see edit at bottom of page)

This holds up fairly well across the whole range, within what I assume is rounding error on the part of the converter, and it looks like this is compensated by the calibration coefficient. 273.14375 appears a bit strange, and a larger sample to calculate this would probably give a simpler number or a more accurate and better calibrated number, but the output result is well within the tolerance of the meter.

Taking the same equation into the values of the 66 preamble gives me a reasonably steady output over temperature, indicating that this is the ambient sensor; placing the meter in the freezer for a few minutes and trying again confirms this. I’m not sure where this is taken, probably from next to the PIR sensor, but there is also a strange transistor under the integration capacitor, and this could be sensing the temperature there.
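
Added example, not code from the original post: a Python decoder for the 5-byte frames described above (tag, two value bytes, checksum, 0D) that validates each frame and resynchronises on a bad one. It assumes the checksum keeps only the low byte of the sum and defaults to the 273.15 offset from the EDIT at the bottom of the page; the function names and labels are illustrative.

```python
KELVIN_OFFSET = 273.15   # the post's EDIT suggests this; 273.14375 was the fitted value
FRAME_LEN = 5
FRAME_END = 0x0D
KINDS = {0x4C: "object", 0x66: "ambient", 0x53: "status"}  # labels are illustrative


def decode_frame(frame, offset=KELVIN_OFFSET):
    """Decode one frame: tag, value high byte, value low byte, checksum, 0x0D."""
    if len(frame) != FRAME_LEN or frame[4] != FRAME_END:
        raise ValueError("expected 5 bytes ending in 0x0D")
    tag, hi, lo, checksum = frame[0], frame[1], frame[2], frame[3]
    raw = (hi << 8) | lo
    return {
        "kind": KINDS.get(tag, "unknown"),
        "raw": raw,
        # Assumption: only the low byte of tag + hi + lo is transmitted.
        "checksum_ok": ((tag + hi + lo) & 0xFF) == checksum,
        "celsius": raw / 16 - offset if tag in (0x4C, 0x66) else None,
    }


def scan(stream, offset=KELVIN_OFFSET):
    """Walk a byte stream and keep only windows that pass every check."""
    frames, i = [], 0
    while i + FRAME_LEN <= len(stream):
        window = stream[i:i + FRAME_LEN]
        if window[0] in KINDS and window[4] == FRAME_END:
            frame = decode_frame(window, offset)
            if frame["checksum_ok"]:
                frames.append(frame)
                i += FRAME_LEN
                continue
        i += 1  # bad tag, terminator or checksum: resynchronise one byte later
    return frames


# The six frames as printed in the post, concatenated in order.
CAPTURE = bytes.fromhex(
    "4C12BA180D" "4C125E180D" "530000530D"
    "66127BF30D" "530000530D" "66127BF30D"
)

if __name__ == "__main__":
    # The second frame (4C 12 5E 18 0D) sums to 0xBC, not 0x18, so scan() drops it.
    for frame in scan(CAPTURE):
        print(frame)
```

Checking the checksum before trusting a window matters here because 0D can also occur as a value byte, so the terminator alone is not a reliable frame boundary.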

I have no way within reasonable length from my computer to create an over or under range temperature to see what preamble 53 is for, but I’m not interested enough to find out.

Now I just needed to take this header and move it somewhere more convenient. For this I hunted down a connector and cable in my piles of electronic scrap. I wanted to use a phone cord and phone jack for this, as it’s a strong, recessed connection where I won’t have to worry about it wiggling out or ESD causing any problems, but I could not for the life of me locate a phone cord … 2018 for you.

I settled on a 5 pin JST connector that was used to connect to a USB port on a junked computer. Having loaned out my needle file set, I busted out the Dremel and made a real mess, but it would not be dodgy engineering without some dodgy engineering, would it?



3 things I have learned that might help

  1. When bodging in a JST connector, use lots and lots of hot glue so nothing wiggles as much as an inch, as pins tend to get pushed in and pulled out and the case likes to flex
  2. I repinned the connector to make the colors on the connector make more sense
  3. Getting hot glue off of pajama pants is not at all easy, so try to avoid that

For the next steps, I’m going to open up Python and learn Python SPI on the Raspberry Pi to try and create something that gives me a proper temp output for my project. Stay tuned!

Also, I thought that I would include my notes to give you a scrambled, messy and misspelled insight into my line of thinking as I was working this out

The notes are in the paste below

https://pastebin.com/DXKxvkSK

EDIT: It actually just occurred to me 3 days later that -273.14375 is very, very close to -273.15, which is the offset between kelvin and celsius. I really do not think this is a coincidence, and it’s also a real easy and smart way to make sure your output is always above zero (unsigned).

-273.14375 worked better for me. This might be because of internal offset, or it might be because of my very small sample size and rounding error, but either way, if you’re doing this yourself, -273.15 might be the better option.

 


Noise Source Reverse Engineering and Improvements

I ordered a noise source from eBay for about $20USD. It came in good shape and working order just 2 weeks later. I say “[in] working order” rather loosely, as the thing got hot, very very hot, easily over 70*c after just 10 minutes around the LNAs. Also it leaked quite a bit: properly terminating it and placing my cellphone on top of it caused me to lose reception almost immediately.

So, curious how it worked, I got my flashlight and some reading glasses and started looking up part numbers. Soon after, I was able to reverse engineer the unit (thanks in no small part to the mostly one layer design)

Not wanting to do a destructive tear-down I was unable to pull values of the caps but I think one can work them out.

The LNAs were interesting. I thought they were 2 different types, but after looking up numbers it appears that they are all the same SBB5089Z, with U2 and U4 being manufactured by RFMD and U3 being manufactured by Sirenza Microdevices. Not sure why this is, but both data sheets appear to be copy and pastes of each other.

Another interesting aspect is they are driven directly from the 12v unregulated input, and they appear to be relying solely on a 100R resistor to drop the voltage down to the 5v limit. Not something I would have done given the cost of 5v regulators or even a zener diode, but it appears to have worked.

Now how does this work? Well, it appears to be a fairly common reverse biased diode noise source using a 24v zener diode supplied in what looks like a standard voltage regulator arrangement supplied with 38.5v. This is then AC coupled, put through a 3dB attenuator, then amplified by 60dB or so with 3 LNAs, put through another attenuator, then AC coupled to the output.

The first attenuator appears to be used simply to help maintain 50 ohms from the zener, and the last attenuator appears to simply not let the LNAs experience a high impedance if disconnected. This is a fairly common practice.

The 38.5v is created with a fairly standard and cheap MC34063AC DC-DC controller set up in a boost configuration. Its output is not as well filtered as I would like, appearing to just have a few uF cap on the output.

Now let’s have a look at how we can improve this. What would make this unit more usable would be to pull away all this excess heat; we do this with an old hefty heatsink I have used on many projects I cut up. Next we must deal with the leakage. To do this I soldered some leads on to the ground leads of the LNAs (this will also help with some cooling) along with the ground lead of the DC-DC output cap. I then poked some holes in a piece of copper sheeting and soldered the leads to that copper piece as shown below

Step 2 was to place the module inside of an Altoids tin. This won’t give the best shielding, but it will be enough to prevent any issues. After drilling out 2 holes for the new input jack and cutting a slit for the heatsink, I then glued the heatsink to the bottom of the Altoids tin with a few springs to maintain a low impedance to ground, then glued the module to the top of that with some epoxy heatsink compound. Next was soldering the tin to the ground of the module wherever I could to prevent the creation of any sort of cavity filter, resonator, or oscillator, along with tacking down the copper shield.


One last little detail was poking a hole in the case to let the LED shine through. I then made a rudimentary light-pipe using a glob of hot glue and some copper tape to use as a reflector. It’s not great, but the already bright and over driven green LED shone through wonderfully!

Let’s now have a look at how well it works from 25-1800MHz

 

Noise Source Turned OFF

 

Noise source turned ON

NOTE: The dips at about 225MHz and 450MHz are due to a glitch in the software and are not actually present

As you can see, it generates a good -50-60dB of noise. This eliminates any fear of radiating too much noise from your antenna under test while keeping it well above the -75dB noise floor of my receiver

 

What’s next? Well, we will use this to characterize some antennas!